Release notes

New features, enhancements, resolved issues, and known issues for the Puppet Remediate 1.x release series.

Version 1.1.1

Released 9 January 2020

New in this release:

  • Scan refresh functionality - You can now manually trigger a rescan of all or selected resources from the Manage Sources page.
  • SUSE Linux 11 integration - Remediate now fully supports SUSE Linux 11.
  • Activity feed updates - The Recent Events table has been updated to include the username of the event initiator.

Resolved issues in this release:

  • Offline install - Remediate now uses a dedicated Docker image bundle and docker-compose.yml file for offline installs.
  • SSH Updates - Remediate has been updated to enable SSH access to hosts that use CBC ciphers.
  • Container DNS issue - Remediate has now been updated to fix a DNS issue where the container added ndots configuration to the /etc/resolv.conf file.
  • Qualys API integration - Remediate is now able to parse human-readable durations used by the Qualys API that may be reported during daylight savings.

Known security issues and vulnerabilities:

The following medium severity CVEs (according to NIST NVD CVSS v3) may be detected by your in-house security scanner:

CVE Details
CVE-2019-18348 An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker controls a URL parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the host component of a URL) followed by an HTTP header. This is similar to the CVE-2019-9740 query string issue and the CVE-2019-9947 path string issue. (This is not exploitable when glibc has CVE-2016-10739 fixed.)

CVE-2019-13050 Interaction between the sks-keyserver code through 1.2.0 of the SKS keyserver network, and GnuPG through 2.2.16, makes it risky to have a GnuPG keyserver configuration line referring to a host on the SKS keyserver network. Retrieving data from this network may cause a persistent denial of service, because of a Certificate Spamming Attack.
CVE-2019-13627 It was discovered that there was an ECDSA timing attack in the libgcrypt20 cryptographic library. Versions affected: 1.8.4-5, 1.7.6-2+deb9u3, and 1.6.3-2+deb8u4. Versions fixed: 1.8.5-2 and 1.6.3-2+deb8u7.
CVE-2018-19591 In the GNU C Library (aka glibc or libc6) through 2.28, attempting to resolve a crafted hostname via getaddrinfo() leads to the allocation of a socket descriptor that is not closed. This is related to the if_nametoindex() function.
CVE-2018-20839 systemd 242 changes the VT1 mode upon a logout, which allows attackers to read clear-text passwords in certain circumstances, such as watching a shutdown, or using Ctrl-Alt-F1 and Ctrl-Alt-F2. This occurs because the KDGKBMODE (aka current keyboard mode) check is mishandled.
CVE-2018-11237 An AVX-512-optimized implementation of the mempcpy function in the GNU C Library (aka glibc or libc6) 2.27 and earlier may write data beyond the target buffer, leading to a buffer overflow in __mempcpy_avx512_no_vzeroupper.
CVE-2018-11236 stdlib/canonicalize.c in the GNU C Library (aka glibc or libc6) 2.27 and earlier, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution.

Version 1.1.0

Released 31 October 2019

New in this release:

  • support - Remediate now supports the (Security Center) vulnerability scanner.
  • Multi-user support - User management in Remediate has been completely updated. Administrators can now:
    • Create and manage multiple user accounts.
    • Assign different group privileges to user accounts.
    • Configure Remediate to work with LDAP or Active Directory servers.
  • RBAC Permissions - Assign user privileges to:
    • Add, remove, or run tasks
    • Add or remove credentials
    • Add or remove sources
  • Remediation workflow improvements - The vulnerability remediation workflow has been improved and now provides additional information on the vulnerability and the steps needed to remediate it.

Resolved issues in this release:

  • Offline install not working - The -o flag has been introduced to the remediate start command to ensure you can start Remediate when there is no internet access.
  • OpenSSH private key support - Remediate now supports the latest version of OpenSSH private keys.

Version 1.0.1

Released 1 August 2019

This is the initial release of Remediate.

Known issues:

  • Unable to install Remediate on Debian 8 with the default kernel module. Upgrade to kernel 4.9 and install Remediate again.
  • Network-discovered nodes are shown as cloud instances. Hosts discovered via their IP address are counted as cloud instances and are visible in the top cloud instance by region card.
  • Due to inconsistent DNS lookups, tasks fail to run on discovered hosts. When discovered hosts are running on the same domain, an inconsistent DNS lookup between discovering hosts and running tasks on discovered hosts results in tasks failing.
  • In a multi-network environment, the first discovery run might not identify the IP or hostname. Wait for the second discovery run, which happens automatically after four hours.